Creating a firewall rule to block an IP address from ping

Hi there

I want to block a device from receiving ping (ICMP) packets. I have set up a rule like so, but the ping packets are still getting through. I have an IPFire box acting as a gateway in pass-through mode.

Am I missing a step?

Thanks in advance for your help

Tony

If 192.168.0.0/24 is your green network, this rule may be useless. Usually devices on green ( wired ) are connected by switches. Therefore the client can communicate without the router, inside a network no routing is necessary. FW rules work on connections only going through IPFire.


Thanks for your response Bernhard. I have now tried to set it up using the red interface as the ping destination. Are there any good guides on how to do this? I want to send a ping packet from my laptop to the IPFire box on the green interface, and the IPFire box should send the ping packet to my Raspberry Pi on the red interface.

Then the response packet should take the reverse route

Thanks
Tony

If you want to ping a device on the internet ( all devices not in the local net, green for example ) the packet is sent to the gateway, according to these basic rules:

  • IP in the device’s own network —> send it to the device directly ( usually the devices are connected to a switch )
  • IP in any other network —> send it to the gateway ( IPFire; the gateway routes the packet to the network selected by its routing rules )

So the way of a packet to a Raspi connected to the red network is
laptop <—> (IPFire.green, IPFire.red) <—> Raspi
If the connection ( ping ) is initiated by the laptop, the stateful firewall of IPFire allows the way back.

Thanks Bernhard, so for the following details:

Laptop hardcoded to use 192.168.0.10
RPi hardcoded to 192.168.0.8 (red interface)
ipfire sitting on 192.168.0.1 (green interface)

How would I set up IPFire to achieve this? If you have some free time, I would really appreciate a screenshot or two of the firewall rule settings. I’m very much a complete novice with networking :)

Thanks
Tony

@tocallaghan, first, welcome to the fascinating world of networking and the community of IPFire.

I think, before you configure IPFire you should design your network(s).
Which devices are in the local network(s) ( wired/green, wireless/blue )?
How is the connection to internet ( red interface )?

In short, IPFire works as a router ( with firewall ) between the internet and the local area. This implies that these networks must be physically ( wires ) and logically ( IPs ) separated. IPFire does the connection.

Cheers Bernhard, it’s a whole new world of possibilities. In terms of what I want to achieve, I have drawn up a simple diagram.

The test steps and scope are limited so I can learn everything in baby steps. Given the diagram above, what would be the steps I would have to take in the web GUI to achieve the desired outcome?

Thanks for your assistance
Tony

Having the same subnet on both GREEN and RED is not… advisable.


If I understand your drawing right, you want to realize the scenario

  • there is an untrusted zone ( laptop ), according to the IP a local area
  • there is a trusted zone ( Raspberry Pi ), also local
  • the two zones shall be connected by an IPFire device to control access from untrusted to trusted zone.

This implies some questions:

  • why is your local zone untrusted?
  • is your IPFire device equipped with two NICs?
  • are the networks physically separated?

To achieve the task, some conditions must be met

  • the two networks are connected by the IPFire device only
  • IPFire is a member of both nets, connected by exactly one NIC per network
  • logically the two networks have to be separate, the sets of IP addresses must be disjoint ( no IPs in both ranges )

A possible config would be
trusted network 192.168.0.0/24: RPi 192.168.0.2, IPFire 192.168.0.1
untrusted network 192.168.1.0/24: laptop 192.168.1.2, IPFire 192.168.1.1

To control access laptop —> RPi you have to define port forward rules.
If all connections are initiated by RPi, IPFire works out-of-the-box.
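The two points Bernhard makes above (a host only hands a packet to the gateway when the destination is outside its own subnet, and the two zones must have disjoint address ranges) can be checked with a small model. This is an added example, not IPFire code or anything from the thread; the function names are my own, and the addresses are the ones quoted in the thread.

```python
from ipaddress import IPv4Address, IPv4Interface, IPv4Network


def next_hop(sender: str, dst: str, gateway: str) -> str:
    """Host routing rule from the thread: a destination inside the sender's own
    subnet is reached directly (over the switch); anything else goes to the
    gateway. `sender` is given as "ip/prefix", e.g. "192.168.1.2/24"."""
    if IPv4Address(dst) in IPv4Interface(sender).network:
        return "direct"
    return gateway


def firewall_sees_packet(sender: str, dst: str, gateway: str) -> bool:
    """IPFire can only filter what is routed through it, so a firewall rule can
    apply only when the sender hands the packet to IPFire as its gateway."""
    return next_hop(sender, dst, gateway) == gateway


def zones_disjoint(trusted: str, untrusted: str) -> bool:
    """Bernhard's condition: the address sets of the two zones must not overlap."""
    return not IPv4Network(trusted).overlaps(IPv4Network(untrusted))


def check(layout: dict) -> dict:
    """Summarise where a ping from `sender` to `dst` goes and whether a rule on
    IPFire has any chance of matching it."""
    return {"next_hop": next_hop(**layout),
            "rule_can_apply": firewall_sees_packet(**layout)}


# Constructed from the addresses quoted in the thread.
# Tony's first setup: laptop and RPi share 192.168.0.0/24, IPFire green is .1
ORIGINAL = {"sender": "192.168.0.10/24", "dst": "192.168.0.8", "gateway": "192.168.0.1"}
# Bernhard's proposal: untrusted 192.168.1.0/24, trusted 192.168.0.0/24
PROPOSED = {"sender": "192.168.1.2/24", "dst": "192.168.0.2", "gateway": "192.168.1.1"}

if __name__ == "__main__":
    for name, layout in (("original", ORIGINAL), ("proposed", PROPOSED)):
        print(name, check(layout))   # original: direct, rule cannot apply
    print("green == red disjoint?", zones_disjoint("192.168.0.0/24", "192.168.0.0/24"))
    print("proposed zones disjoint?", zones_disjoint("192.168.0.0/24", "192.168.1.0/24"))
```

In the original layout the laptop's ping never reaches IPFire, which is why the blocking rule had no effect; in the proposed layout every packet between the zones crosses IPFire, so forward rules (and the stateful reply handling) apply.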

Yes, your understanding is correct. The local zone has been designated as safe, and any device can talk to another; only specific devices are allowed to cross into the green zone from red.

The ipfire box I have has 4 NICs, one for each ethernet port, eventually the networks would be physically separated.

I will try out your possible solution, thanks Bernhard


That is not a solution feasible with IPFire. I doubt that this would work on the same network segment with any firewall appliance.

To clarify: Any FW solution can work if all traffic is forced to go through the FW, only.
For an appliance like IPFire this means, the device must be the single connection point between the networks.
For desktop FWs the application is located between the network layer and the application layer of the device.

Hi Bernhard & Pike

Thanks for your assistance, it has been a massive help. I came across this helpful video on YouTube on the topic of port forwarding, and I found it very useful as a guide.

Cheers
Tony